Chrony: Difference between revisions
imported>Mweinelt No edit summary |
imported>Sorag22 Updated for NTP, and for NTS having certificates automatically created |
||
| Line 1: | Line 1: | ||
Chrony is an NTP and NTS client and server implementation. This means it can synchronize the time of your local machine, as well as provide services to clients on the attached network segments. | Chrony is an NTP and NTS client and server implementation. This means it can synchronize the time of your local machine, as well as provide services to clients on the attached network segments. | ||
== NTP == | |||
This protocol is slowly being phased out due it security concerns, using a more secure method like NTS is recommended. To enable NTP, enable the chrony service and add whichever NTP servers you wish to use | |||
<syntaxhighlight lang="nix"> | |||
{ config | |||
, ... | |||
}; | |||
{ | |||
services.chrony = { | |||
enable = true: | |||
servers = [ "ntp-example.com" ]; | |||
}; | |||
} | |||
</syntaxhighlight> | |||
== NTS == | == NTS == | ||
To enable NTS (Network Time Security), a certificate | To enable NTS (Network Time Security), typically all that needs to be provided is a NTP server capable of NTS. | ||
<syntaxhighlight lang="nix"> | |||
{ config | |||
, ... | |||
}; | |||
{ | |||
services.chrony = { | |||
enable = true: | |||
enableNTS = true: | |||
servers = [ "nts-example.com" ]; | |||
}; | |||
} | |||
</syntaxhighlight> | |||
You can verify that NTS is being used via observing the output of <code>sudo chronyc -N authdata</code> and reading the value under mode, it should read NTS. | |||
=== Troubleshooting === | |||
It is possible that a certificate may need to be manually provided. You can rely on the ACME service to acquire one, but make sure that the certificate group gets assigned to <code>chrony</code>, or else the service will not be able to read the certificate and key after it drops its privileges. | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
| Line 10: | Line 41: | ||
}; | }; | ||
let | let | ||
acmePath = config.security.acme.certs." | acmePath = config.security.acme.certs."foo-example.com".directory; | ||
in | in | ||
{ | { | ||
security.acme.certs." | security.acme.certs."foo-example.com" = { | ||
group = "chrony"; | group = "chrony"; | ||
# One of the following challenge method options will need to be provided | |||
# to obtain a self signed cert | |||
webroot = ""; | |||
s3bucket = '""; | |||
dnsProvider = ""; | |||
listenHTTP = ""; | |||
}; | }; | ||
Revision as of 01:21, 28 January 2024
Chrony is an NTP and NTS client and server implementation. This means it can synchronize the time of your local machine, as well as provide services to clients on the attached network segments.
NTP
This protocol is slowly being phased out due it security concerns, using a more secure method like NTS is recommended. To enable NTP, enable the chrony service and add whichever NTP servers you wish to use
{ config
, ...
};
{
services.chrony = {
enable = true:
servers = [ "ntp-example.com" ];
};
}
NTS
To enable NTS (Network Time Security), typically all that needs to be provided is a NTP server capable of NTS.
{ config
, ...
};
{
services.chrony = {
enable = true:
enableNTS = true:
servers = [ "nts-example.com" ];
};
}
You can verify that NTS is being used via observing the output of sudo chronyc -N authdata and reading the value under mode, it should read NTS.
Troubleshooting
It is possible that a certificate may need to be manually provided. You can rely on the ACME service to acquire one, but make sure that the certificate group gets assigned to chrony, or else the service will not be able to read the certificate and key after it drops its privileges.
{ config
, ...
};
let
acmePath = config.security.acme.certs."foo-example.com".directory;
in
{
security.acme.certs."foo-example.com" = {
group = "chrony";
# One of the following challenge method options will need to be provided
# to obtain a self signed cert
webroot = "";
s3bucket = '"";
dnsProvider = "";
listenHTTP = "";
};
services.chrony = {
enable = true:
enableNTS = true:
extraConfig = ''
[...]
ntsservercert ${acmePath}/fullchain.pem
ntsserverkey ${acmePath}/key.pem
'';
};
}